Windows patch backfires on the security-minded

Security-conscious Windows users who tweaked the operating system to protect their PCs better are getting hit hardest by a flawed Microsoft patch, experts said Monday.

Microsoft has acknowledged that a patch released last week can cause trouble for some users. It could lock them out of their PC, prevent the Windows Firewall from starting, block certain applications from running or installing, and empty the network connections folder, among other things, the software maker said in an advisory on Friday.

The trouble occurs when default permission settings on a Windows folder have been changed, according to Microsoft. Those changes aren't common, but have been applied by some people to add extra security to their systems, experts said.

Related story

"The flaw in the patch affects users who tightened down access lists," said Johannes Ullrich, the chief research officer at the SANS Institute. "These are typically more-advanced, security-conscious users."

The settings are also likely to be used by businesses with strict access requirements, such as those in the financial services or health care industries, said Vijay Adusumilli, a senior product manager at security software vendor St. Bernard Software. "They tighten settings for security purposes," he said.

"If users made changes to their security settings and tightened them, this patch is going to break a whole lot of software," Adusumilli said. The update simply didn't take into account all the possible Windows user configurations, he said.

The problem may result in more apprehension among users when it comes to applying Windows patches, he noted. "Microsoft's patch quality reputation just started to improve, but I think this is going to dent that a bit," Adusumilli said.

That is worrying, especially with a narrowing amount of time between the release of a software fix and a malicious code attack that exploits the vulnerability related to it, Ullrich said. The narrowing "patch window" has moved people to apply remedies faster.

"Many companies have come to rely on high patch quality to use accelerated deployment procedures for critical patches. But the problems with MS05-051 will make people think twice next time around," Ullrich said.

The flawed update delivered "two strikes against good security," Ullrich said. "First, you get penalized for running an enhanced security template. Next, you get penalized for patching quickly."